Posted in ICT

Ransomware: All You Need To Know About The Global Cyber Attack

More than 150 countries and over 300,000 computers have been affected by the recent global ransomware cyber attack.

This attack, known as “WannaCry” or “WannaCrypt”, spreads by itself between computers and does not require human interaction. It restricts access to the affected system and demands a ransom payment.

Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

The National Information Technology Development Agency (NITDA) on Monday 15 May 2017 drew the attention of Nigerians to the global cyber attack that affected computers in many countries worldwide.

The National Information Technology Development Agency (NITDA) is an agency under the Federal Ministry of Communications. It was created in April 2001 to implement the Nigerian Information Technology Policy and to coordinate general IT development and regulation in the country.

The Agency also advises the government on how to enhance the security of the nation.

Technically, ransomware can be defined as a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology: it blocks access to data until a ransom is paid and displays a message requesting payment to unlock it.

The ransomware attack exploited vulnerabilities in the Microsoft Windows operating system, especially in versions that are no longer supported, such as Windows XP (Microsoft has since stopped providing support and patches for Windows XP), Windows 8 and Windows Server 2003.

Its Operation

The concept of file-encrypting ransomware was invented and implemented by Young and Yung at Columbia University and was presented at the 1996 IEEE Security & Privacy conference. It is called cryptoviral extortion and is the following three-round protocol carried out between the attacker and the victim.

Attacker→Victim – The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
Victim→Attacker – To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it.

It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery.

It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.

Attacker→Victim – The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker’s private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.

The symmetric key is randomly generated and will not assist other victims. At no point is the attacker’s private key exposed to victims and the victim need only send a very small ciphertext (the encrypted symmetric-cipher key) to the attacker.
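The three rounds above, as an added example in Ruby that is not part of the original post: the exchange is simulated in memory with Ruby's OpenSSL library (RSA-OAEP wrapping a per-victim AES-256-GCM key), using a constructed byte string as the “data”; the function names are my own. It shows the properties the paragraph states: the wrapped key is a small fixed-size ciphertext, the private key never leaves the attacker, and one victim's recovered key does not decrypt another victim's data.

```ruby
require 'openssl'

# Round 1 (attacker): generate the key pair. Only the public key is placed in the malware.
def attacker_key_pair
  OpenSSL::PKey::RSA.generate(2048)
end

# Round 2 (victim machine): a fresh random AES-256-GCM key encrypts the data, the embedded
# public key wraps that key (RSA-OAEP), and the raw key is discarded. The wrapped key is the
# small asymmetric ciphertext the victim is told to send; the private key is never present here.
def victim_encrypt(public_key, data)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  sym = cipher.random_key # unique to this victim, so it helps no other victim
  nonce = cipher.random_iv
  ciphertext = cipher.update(data) + cipher.final
  wrapped = public_key.public_encrypt(sym, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  sym.clear # the protocol's zeroization step (Ruby cannot guarantee the memory is wiped)
  { wrapped: wrapped, nonce: nonce, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Round 3 (attacker): unwrap with the private key, which never leaves the attacker, and
# hand back the symmetric key.
def attacker_unwrap(private_key, wrapped)
  private_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Victim side: the GCM authentication tag rejects any key other than this victim's own.
def victim_decrypt(sym, msg)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = sym
  cipher.iv = msg[:nonce]
  cipher.auth_tag = msg[:tag]
  cipher.update(msg[:ciphertext]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  priv = attacker_key_pair
  msg = victim_encrypt(priv.public_key, 'constructed sample document') # constructed data
  sym = attacker_unwrap(priv, msg[:wrapped])
  puts "wrapped key: #{msg[:wrapped].bytesize} bytes, recovered: #{victim_decrypt(sym, msg)}"
end
```

With a 2048-bit attacker key the wrapped key is always 256 bytes, whatever the size of the encrypted data; that is the "very small ciphertext" the victim sends.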

Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service.

The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program).

Payloads may display a fake warning purportedly from an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities or contains content such as pornography or “pirated” media.

Mitigation

Microsoft released a patch for the vulnerability in March 2017, and machines that had been updated with the patch were protected.

Should your system be infected by ransomware, isolate it from your network to prevent the threat from spreading further. In addition, the following actions can be taken immediately:

Remove the system from the network.

Do not use flash/pen drives or external drives on the system to copy files to other systems.

Format the system completely and install a fresh copy of the OS.

Encryption takes some time, so if an attack is suspected or detected in its early stages, removing the malware immediately (a relatively simple process) before it has finished stops further damage to data, although data already encrypted is not recovered.

A new category of security software, specifically deception technology, can detect ransomware without using a signature-based approach. Deception technology uses fake SMB shares that surround real IT assets.

These decoy SMB shares deceive the ransomware and keep it busy encrypting worthless data, while alerting the security team, which can then shut down the attack and return the organization to normal operations.
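A minimal version of the alerting half of that idea, as an added example that is not from the original post or from any deception product: decoy files planted in a constructed temporary directory stand in for the fake shares, a baseline digest is recorded for each, and any decoy that is later modified, renamed or deleted produces an alert. Names and filler content are constructed for the example.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Plant decoy files that no legitimate user or process should ever touch, and record a
# baseline SHA-256 digest for each. Real deployments expose such decoys as network shares;
# here they are plain files in a constructed directory so the example runs offline.
def plant_decoys(dir, names)
  names.each_with_object({}) do |name, baseline|
    path = File.join(dir, name)
    File.write(path, "decoy #{name}: do not edit\n" * 64) # constructed filler content
    baseline[path] = Digest::SHA256.file(path).hexdigest
  end
end

# Re-check every decoy against its baseline. A decoy has no business changing, so a
# rewritten one (encrypted in place), a renamed one or a deleted one is an alert.
def check_decoys(baseline)
  baseline.filter_map do |path, digest|
    if !File.exist?(path)
      { path: path, event: :missing }
    elsif Digest::SHA256.file(path).hexdigest != digest
      { path: path, event: :modified }
    end
  end
end

# Demonstration on a constructed "share": a simulated encryptor overwrites one decoy with
# random bytes and drops another; the check turns both into alerts and leaves the rest alone.
def demo
  Dir.mktmpdir('decoy-share') do |dir|
    baseline = plant_decoys(dir, %w[!00-budget.xlsx !01-payroll.docx README.txt])
    File.binwrite(File.join(dir, '!00-budget.xlsx'), Random.bytes(2048)) # simulated tampering
    FileUtils.rm(File.join(dir, 'README.txt'))                            # simulated deletion
    check_decoys(baseline).map { |a| [File.basename(a[:path]), a[:event]] }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In practice the check would run on a schedule or from a file-system watcher, and an alert would trigger isolation of the host writing to the decoys.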

Cyber security experts have suggested precautionary measures for dealing with ransomware, which I think are the best form of protection against the attack. These precautionary measures could be:

Use software or other security policies to block known payloads from launching; this helps prevent infection but will not protect against all attacks.

Keeping “offline” backups of data stored in locations inaccessible to the infected computer, such as external storage drives, prevents them from being accessed by the ransomware, thus accelerating data restoration.

History

Encrypting ransomware
The first known malware extortion attack, the “AIDS Trojan” written by Joseph Popp in 1989, had a design failure so severe it was not necessary to pay the extortionist at all.

Its payload hid the files on the hard drive and encrypted only their names, and displayed a message claiming that the user’s license to use a certain piece of software had expired.

The user was asked to pay US$189 to “PC Cyborg Corporation” in order to obtain a repair tool, even though the decryption key could be extracted from the code of the Trojan. The Trojan was also known as “PC Cyborg”. Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to fund AIDS research.

Non-encrypting ransomware
In August 2010, Russian authorities arrested nine individuals connected to a ransomware Trojan known as WinLock. Unlike the previous Gpcode Trojan, WinLock did not use encryption.

Instead, WinLock trivially restricted access to the system by displaying pornographic images, and asked users to send a premium-rate SMS (costing around US$10) to receive a code that could be used to unlock their machines. The scam hit numerous users across Russia and neighboring countries—reportedly earning the group over US$16 million.

Mobile ransomware
With the increased popularity of ransomware on PC platforms, ransomware targeting mobile operating systems has also proliferated. Typically, mobile ransomware payloads are blockers, as there is little incentive to encrypt data that can be easily restored via online synchronization.

Mobile ransomware typically targets the Android platform, as it allows applications to be installed from third-party sources.

The payload is typically distributed as an APK file installed by an unsuspecting user. It may attempt to display a blocking message on top of all other applications, and one variant used a form of clickjacking to trick the user into granting it “device administrator” privileges to achieve deeper access to the system.

Different tactics have been used on iOS devices, such as exploiting iCloud accounts and using the Find My iPhone system to lock access to the device.[56] On iOS 10.3, Apple patched a bug in the handling of JavaScript pop-up windows in Safari that had been exploited by ransomware websites.

WannaCry
In May 2017, the WannaCry ransomware attack spread through the Internet, using an exploit vector that Microsoft had issued a “Critical” patch for (MS17-010) two months before on March 14, 2017.

The ransomware attack infected over 75,000 users in over 99 countries, using 20 different languages to demand money from users.

The attack affected Telefónica and several other large companies in Spain; parts of the British National Health Service (NHS), where at least 16 hospitals had to turn away patients or cancel scheduled operations; FedEx; Deutsche Bahn; and the Russian Interior Ministry and the Russian telecom MegaFon.

NITDA is working with critical stakeholders to come up with ways in which the Nigerian cyberspace can be adequately protected.

For issues and for more information, you can contact the NITDA Computer Emergency Readiness and Response Team (CERRT) for assistance. They can be reached by telephone on +2348023275039 or by e-mail at support@cerrt.ng.
